Selling the “Yellow Cow”: How to Sell Threat Modeling to Your Leadership Team Beyond Its Security Benefits

Michael Bernhardt | Product Security Manager, Telefónica Germany
March 15, 2023

The Yellow Cow is a painting by German artist Franz Marc (Source: https://en.wikipedia.org/wiki/Yellow_Cow#/media/File:Franz_Marc-The_Yellow_Cow-1911.jpg). In this artwork, Marc expressed the conflict between the inner and outer perception of the world. Additionally, yellow stands for inspiration and power. Leveraging this metaphor, let us explore how threat modeling, if implemented successfully, can put your organization in a stronger position beyond the initial security goal.

Threat modeling comes with cost and effort. It’s not uncommon for organizations to pursue more cost-efficient paths as long as they allow them to “check the box.” In my article “Becoming the Martian: How to Scale Threat Modeling in Your Organization,” I elaborated on why threat modeling has not yet become a C-level topic in most companies. This article should provide the arguments to justify a threat modeling program as the more sustainable solution for your organization.

Many organizations started exploring threat modeling out of a desire for more transparency about the risks resulting from their products and services. However, in my experience, threat modeling activities not only address and improve the security posture of a company and its products but, oftentimes, also uncover adjacent fields where the organization needs more maturity.

The added value that threat modeling can create for an organization beyond its initial scope in security includes:

  1. Skilling up your workforce
    The best guidance is the one that is not only written down but practically applied. Security concepts often don’t come naturally to a function-driven development mindset. Working through the idea as part of the assessment is the best way to see it being applied.
  2. Drive technical standardization
    Standardization happens not only on the big building blocks but also at the sub-component level. Nowadays, development builds heavily on open source, allowing development teams to select from established solutions. However, it also offers a wide variety of good and bad options. Threat modeling provides a sound basis for proposing well-evaluated solutions and establishing a cross-functional exchange on the best ones.
  3. Improve product documentation
    Good documentation always comes first. Yet, it’s not always what is seen in practice. A well-documented model of an application is the basis for conducting an assessment. Often, it is in the pre-work of the assessment that documentation is pulled together and streamlined. Once that is done, it not only helps the security team but also benefits the general documentation efforts for the application.
  4. Make reassessment easy
    Knowing every application in a larger organization is nearly impossible. Asking the same questions over and over will quickly kill the motivation of any expert. A well-documented model makes it easier to involve more participants who can bring fresh perspectives to the assessment process, avoiding iterating on the same threats.
  5. Prepare the organization for certification
    If a certification request hits an organization without advance notice, it can cause tremendous effort in putting together the right processes. As part of your threat modeling program, you will inevitably touch on various aspects of a normative framework. Over time, the required processes and the respective documentation will emerge from it in a structured manner, letting you undergo certification in a much more streamlined and mature way.
  6. Reduce mean time to resolve (MTTR)
    Every organization is built upon humans, and relationships are the foundation. If the security team approaches development teams only in the event of a breach, we can’t always expect a quick turnaround, given the lack of trust and familiarity with the subject. Running a threat modeling program not only helps identify risks and address them early, but also helps bridge the gap between the security and development teams. So in times of emergency (hopefully not as significant as a breach), the trust established with the development team and the security skills they have developed as part of the program will likely reduce your overall mean time to resolve (MTTR).

Nowadays, information security offers numerous tools and concepts to keep pace with modern development principles. Let threat modeling be the “Yellow Cow” that energizes your organization, so that security is perceived as an enabler. I hope the six reasons above inspire you to reframe how your management team thinks about threat modeling, which supports the maturity of an organization in various areas beyond security.